We study two different ways to enhance PAFAS, a process algebra for modelling asynchronous timed concurrent systems, with non-blocking reading actions. We first add reading in the form of a read-action prefix operator. This operator is very flexible, but its somewhat complex semantics requires two types of transition relations. We also present a read-set prefix operator with a simpler semantics, but with syntactic restrictions. We discuss the expressiveness of read prefixes; in particular, we compare them to read-arcs in Petri nets and justify the simple semantics of the second variant by showing that its processes can be translated into processes of the first with timed-bisimilar behaviour. It is still an open problem whether the first algebra is more expressive than the second; we give a number of laws that are interesting in their own right, and can help to find a backward translation.

1 Introduction 

Non-blocking reading is an important feature e.g. for proving the liveness of MUTEX solutions under 
the progress assumption (aka weak fairness). We study the first process algebra with non-blocking read 
actions, where 'read' refers to accessing a variable, e.g. modelled as a separate process Var. Observe that 
read is an activity of Var, and in a setting with explicit modelling of data, it would rather be an output 
than an input action of Var. 

Non-blocking reading is known from Petri nets, where it has been added in the form of read arcs; these allow multiple concurrent reading of the same resource, a quite frequent situation in many distributed systems. Read arcs represent positive context conditions, i.e. elements which are needed for an event to occur, but are not affected by it. As argued in [17], the importance of such elements is twofold. Firstly, they allow a faithful representation of systems where the notion of "reading without consuming" is commonly used, like database systems [20] or any computation framework based on shared memory. Secondly, they allow one to specify directly and naturally a level of concurrency greater than in classical nets: two transitions reading the same place may also occur simultaneously; in classical nets, the transitions would be connected to the place by loops (i.e. reading is modelled through a "rewrite" operation), which does not allow the simultaneous execution of two tasks that read the same resource. Read arcs have been used to model a variety of applications such as transaction serialisability in databases [?], concurrent constraint programming [18], asynchronous systems [22] and cryptographic protocols [4]. Reading is also related to the notion of persistence e.g. in several calculi for describing and analysing security protocols; in particular, persistent messages (that can be read but not consumed) are used to model that every message can be remembered by the spy (see [4] and the references therein).
Semantics and expressivity of read arcs have been studied e.g. in the following: [5] discusses a step semantics; [2] shows that timed Petri nets with read arcs unify timed Petri nets and timed automata. Finally, [22] shows that read arcs add relevant expressivity: the MUTEX problem can be solved with nets having read arcs but not with ordinary nets having no read arcs.

In this paper, we present two different ways to enhance PAFAS [11], a process algebra for modelling asynchronous timed concurrent systems, with non-blocking reading actions. PAFAS was introduced for evaluating the worst-case efficiency of asynchronous systems. It was also used in [?] for studying (weak) fairness of actions and components in system computations, similarly to results of [22] for a Petri net setting. This fairness requires that an action has to be performed (a component has to perform an action, resp.) whenever it is enabled continuously in a run. Fairness can be defined in an intuitive but complicated way in the spirit of [13, 12], and we proved that each everlasting (or non-Zeno maximal) timed run is fair and vice versa [?]. We used these characterisations in [8] to prove that Dekker's MUTEX algorithm satisfies the respective liveness property under the assumption of fairness of components, while this fails under fairness of actions. To improve this, one needs suitable assumptions about the hardware, cf. [19], namely that reading a value from a storage cell is non-blocking; to model this we introduce specific reading prefixes for PAFAS.

We first add reading in the form of a read-action prefix $a \triangleright Q$ (the new process language is called PAFAS$_r$), which behaves as $Q$ but, like a variable or a more complex data structure, can also be read with the action $a$. Since being read should not change the state, $a$ can be repeated until the execution of some ordinary action of $Q$. Thus, e.g. $a \triangleright b.nil$ can perform any number of $a$'s until it terminates via an ordinary $b$. The operational semantics for $a \triangleright Q$ needs two types of transition relations to properly deal e.g. with sequences of read actions.

Under some syntactic restrictions, the semantics can be simplified. To be still able to express sequences of read actions directly, we introduced a read-set operator $\{a_1, \dots, a_n\} \triangleright Q$ in the language PAFAS$_s$. In [9], we already used PAFAS$_s$ to show the correctness of Dekker's algorithm: regarding some actions as reading, this algorithm satisfies MUTEX liveness already under the assumption of fairness of actions. It had long been an open problem how to achieve such a result in a process algebra [23]. The simpler semantics of PAFAS$_s$ is helpful for building tools. Indeed, we have already proved some MUTEX algorithms correct or incorrect with the aid of the automated verification tool FASE [3]. We plan to continue this work by also considering the efficiency of MUTEX algorithms and other systems.

In this paper, we study PAFAS$_r$ and PAFAS$_s$ further with special attention to expressiveness. The first issue is that PAFAS$_r$ models non-blocking reading in an intuitive way, while the necessary restrictions in case of PAFAS$_s$ are not so obvious. In fact, the investigations for this paper have disclosed that the restrictions in [9] still allowed processes with a contra-intuitive semantics. To rectify this subtle mistake, we give an improved definition of proper PAFAS$_s$ processes¹, and we show how to translate each proper process $Q$ into a PAFAS$_r$ process whose timed behaviour is bisimilar and even isomorphic to that of $Q$. This shows at the same time that a proper process really has an intuitive behaviour and that PAFAS$_r$ is at least as expressive as the proper fragment of PAFAS$_s$.

In this paper, we additionally show that safe Petri nets with read-arcs as in [22] can be modelled with proper PAFAS$_s$ processes. It is still an open problem whether PAFAS$_r$ is more expressive than PAFAS$_s$; we present a number of laws that are interesting in their own right and give a backward translation for a fragment of PAFAS$_r$. Constructing a general backward translation seems to be related to finding an expansion law for PAFAS$_r$ processes, a law that is not even known for standard PAFAS processes.

We have also extended the correspondence between fair and everlasting runs; thus, also in PAFAS$_r$ and in PAFAS$_s$, we capture fairness with timed behaviour. To demonstrate the extended expressiveness of reading with a concrete example, we prove that no finite-state process in standard PAFAS has the same fair language as $a \triangleright b.nil$ (Theorem 2.5).

¹ Luckily, the model of Dekker's algorithm in [9] is also proper as defined here.

The rest of the paper is organised as follows. Sections 2 and 3 introduce PAFAS$_r$ and PAFAS$_s$ with their respective timed operational semantics and prove a result regarding $a \triangleright b$. Section 4 provides a mapping from PAFAS$_s$ to PAFAS$_r$ and presents the result for Petri nets. The backward translation is discussed in Section 5. Finally, Section 6 presents some concluding remarks. Some proofs can be found in the appendices.



2 A process algebra for describing read behaviours 

In this section, we introduce PAFAS$_r$ and give a first expressiveness result. PAFAS is a CCS-like process description language [16] (with a TCSP-like parallel composition [?]), where actions are atomic and instantaneous but have associated an upper time bound (either 0 or 1, for simplicity) interpreted as a maximal time delay for their execution. As explained in [11], these upper time bounds can be used for evaluating the performance of asynchronous systems, but do not influence functionality (which actions are performed); so, compared to CCS, PAFAS also treats the full functionality of asynchronous systems. W.r.t. the original language, here we introduce the new read prefix $\triangleright$ to represent the non-blocking behaviour of processes. Intuitively, the term $a \triangleright P$ models a process like a variable or a more complex data structure that behaves as $P$ but can additionally be read with $a$: since being read does not change the state, $a$ can be performed repeatedly until the execution of some ordinary action of $P$, and it does not block a synchronisation partner (a reading process), as described below.

We use the following notation. $\mathbb{A}$ is an infinite set of visible actions. An additional action $\tau$ is used to represent internal activity, which is unobservable for other components. We define $\mathbb{A}_\tau = \mathbb{A} \cup \{\tau\}$. Elements of $\mathbb{A}$ are denoted by $a, b, c, \dots$ and those of $\mathbb{A}_\tau$ by $\alpha, \beta, \dots$. Actions in $\mathbb{A}_\tau$ can let time 1 pass before their execution, i.e. 1 is their maximal delay. After that time, they become urgent actions, written $\underline{a}$ or $\underline{\tau}$; these cannot be delayed. The set of urgent actions is denoted by $\underline{\mathbb{A}}_\tau = \{\underline{a} \mid a \in \mathbb{A}\} \cup \{\underline{\tau}\}$ and is ranged over by $\underline{\alpha}, \underline{\beta}, \dots$. Elements of $\mathbb{A}_\tau \cup \underline{\mathbb{A}}_\tau$ are ranged over by $\mu$. $\mathcal{X}$ (ranged over by $x, y, z, \dots$) is the set of process variables, used for recursive definitions. $\Phi : \mathbb{A}_\tau \to \mathbb{A}_\tau$ is a general relabelling function if the set $\{\alpha \in \mathbb{A}_\tau \mid \emptyset \neq \Phi^{-1}(\alpha) \neq \{\alpha\}\}$ is finite and $\Phi(\tau) = \tau$. Such a function can also be used to define hiding: $P/A$, where the actions in $A$ are made internal, is the same as $P[\Phi_A]$, where the relabelling function $\Phi_A$ is defined by $\Phi_A(\alpha) = \tau$ if $\alpha \in A$ and $\Phi_A(\alpha) = \alpha$ if $\alpha \notin A$.

We assume that time elapses in a discrete way². Thus, an action-prefixed process $a.P$ can either do action $a$ and become process $P$ (as usual in CCS) or can let one time step pass and become $\underline{a}.P$; $\underline{a}$ is called urgent $a$, and $\underline{a}.P$ cannot delay $a$, but as a stand-alone process can only do $a$ to become $P$. In the following, initial processes are just processes of a standard process algebra extended with $\triangleright$. General processes include all processes reachable from the initial ones according to the operational semantics to be defined below.

The sets $\tilde{\mathbb{P}}_1$ of initial (timed) process terms $P$ and $\tilde{\mathbb{P}}$ of (general) (timed) process terms $Q$ are generated by the following grammar:

$P ::= nil \mid x \mid \alpha.P \mid \alpha \triangleright P \mid P + P \mid P \parallel_A P \mid P[\Phi] \mid rec\,x.P$

$Q ::= P \mid \underline{\alpha}.P \mid \mu \triangleright Q \mid Q + Q \mid Q \parallel_A Q \mid Q[\Phi] \mid rec\,x.Q$

where $nil$ is a constant, $x \in \mathcal{X}$, $\alpha \in \mathbb{A}_\tau$, $\mu \in \mathbb{A}_\tau \cup \underline{\mathbb{A}}_\tau$, $\Phi$ is a general relabelling function and $A \subseteq \mathbb{A}$ is possibly infinite. We say that a variable $x \in \mathcal{X}$ is guarded in $Q$ if it only appears in the scope of some $\mu \in \mathbb{A}_\tau \cup \underline{\mathbb{A}}_\tau$. We assume that recursion is guarded, i.e. for $rec\,x.Q$ variable $x$ is guarded in $Q$. A process term is closed if every variable $x$ is bound by the corresponding $rec\,x$-operator; the sets of closed timed process terms in $\tilde{\mathbb{P}}$ and $\tilde{\mathbb{P}}_1$, simply called processes and initial processes resp., are denoted by $\mathbb{P}$ and $\mathbb{P}_1$ resp.

² PAFAS is not time domain dependent, meaning that the choice of discrete or continuous time makes no difference for the testing-based semantics of asynchronous systems; see [11] for more details.

We briefly describe the operators. The $nil$-process cannot perform any action, but may let time pass without limit. A trailing $nil$ will often be omitted, so e.g. $a.b + c$ abbreviates $a.b.nil + c.nil$. $\mu.Q$ is (action-)prefixing known from CCS. Read-prefixed terms $a \triangleright Q$ and $\underline{a} \triangleright Q$ behave like $Q$ except for the (lazy and urgent, resp.) non-blocking action $a$. In both cases $a$ is always enabled until component $Q$ evolves via some ordinary action; moreover, $\underline{a}$ stays urgent even if it is performed. $Q_1 + Q_2$ models the choice between processes $Q_1$ and $Q_2$. $Q_1 \parallel_A Q_2$ is the parallel composition of two processes $Q_1$ and $Q_2$ that run in parallel and have to synchronise on all actions from $A$; this synchronisation discipline is inspired from TCSP. $Q[\Phi]$ behaves as $Q$ but with the actions changed according to $\Phi$. $rec\,x.Q$ models a recursive definition. We often use equations to define recursive processes, e.g. $P \Leftarrow a.P + b$; in contrast, $=$ stands for syntactically equal. Below we use the (syntactic) sort of a process, which contains all visible actions the process can ever perform.

Definition 2.1 (sort) For a general relabelling function $\Phi$ let $ib(\Phi) = \{\alpha \in \mathbb{A}_\tau \mid \emptyset \neq \Phi^{-1}(\alpha) \neq \{\alpha\}\}$ (the image base of $\Phi$); by definition of a general relabelling function, $ib(\Phi)$ is finite. The sort of $Q \in \tilde{\mathbb{P}}$ is the set $\mathcal{L}(Q) = \{a \in \mathbb{A} \mid a \text{ occurs in } Q\} \cup \bigcup_{\Phi \text{ occurs in } Q} ib(\Phi)$.

The transitional semantics describing the functional behaviour of PAFAS$_r$ terms indicates which actions they can perform. We need two different transition relations $\stackrel{\alpha}{\mapsto}$ and $\stackrel{\alpha}{\leadsto}$ to describe, resp., the ordinary and the reading behaviour of PAFAS$_r$ processes. The functional behaviour is the union of these two kinds of behaviour.

Definition 2.2 (functional operational semantics) Let $Q \in \mathbb{P}$ and $\alpha \in \mathbb{A}_\tau$. We say that $Q \stackrel{\alpha}{\to} Q'$ if $Q \stackrel{\alpha}{\mapsto} Q'$ or $Q \stackrel{\alpha}{\leadsto} Q'$, where the SOS-rules defining the transition relations $\stackrel{\alpha}{\mapsto} \subseteq (\mathbb{P} \times \mathbb{P})$ (the ordinary action transitions) and $\stackrel{\alpha}{\leadsto} \subseteq (\mathbb{P} \times \mathbb{P})$ (the read action transitions) for $\alpha \in \mathbb{A}_\tau$ are given in Tables 1 and 2 resp.³ As usual, we write $Q \stackrel{\alpha}{\to} Q'$ if $(Q, Q') \in \stackrel{\alpha}{\to}$ and $Q \stackrel{\alpha}{\to}$ if $Q \stackrel{\alpha}{\to} Q'$ for some $Q' \in \mathbb{P}$; and analogously for other types of transition relations.

Rule Pref$_o$ in Table 1 describes the behaviour of an action-prefixed process as usual in CCS. Note that timing can be disregarded: when an action is performed, one cannot see whether it was urgent or not, and thus $\underline{a}.P \stackrel{a}{\mapsto} P$; furthermore, $a.P$ has to act within time 1, i.e. it can also act immediately, giving $a.P \stackrel{a}{\mapsto} P$. Rule Read$_o$ says that $\mu \triangleright Q$ performs the same ordinary actions as $Q$, removing the read-prefix at the same time. Note that in rule Par$_{o2}$, an ordinary action transition can synchronise with both an ordinary and a read action transition. The other rules are as expected. Symmetric rules have been omitted.

³ We do here without the functions clean and unmark, used e.g. in [7] to get a closer relationship between states of untimed fair runs and timed non-Zeno runs. They do not change the behaviour (up to an injective bisimulation) and would complicate the setting.
Table 1: Ordinary behaviour of PAFAS$_r$ processes

Pref$_o$: $\mu \in \{\alpha, \underline{\alpha}\}$ implies $\mu.P \stackrel{\alpha}{\mapsto} P$

Read$_o$: $Q \stackrel{\alpha}{\mapsto} Q'$ implies $\mu \triangleright Q \stackrel{\alpha}{\mapsto} Q'$

Sum$_o$: $Q_1 \stackrel{\alpha}{\mapsto} Q'$ implies $Q_1 + Q_2 \stackrel{\alpha}{\mapsto} Q'$

Par$_{o1}$: $Q_1 \stackrel{\alpha}{\mapsto} Q_1'$ and $\alpha \notin A$ imply $Q_1 \parallel_A Q_2 \stackrel{\alpha}{\mapsto} Q_1' \parallel_A Q_2$

Par$_{o2}$: $Q_1 \stackrel{\alpha}{\mapsto} Q_1'$, $Q_2 \stackrel{\alpha}{\to} Q_2'$ and $\alpha \in A$ imply $Q_1 \parallel_A Q_2 \stackrel{\alpha}{\mapsto} Q_1' \parallel_A Q_2'$

Rel$_o$: $Q \stackrel{\alpha}{\mapsto} Q'$ implies $Q[\Phi] \stackrel{\Phi(\alpha)}{\mapsto} Q'[\Phi]$

Rec$_o$: $Q\{rec\,x.Q/x\} \stackrel{\alpha}{\mapsto} Q'$ implies $rec\,x.Q \stackrel{\alpha}{\mapsto} Q'$



Table 2: Reading behaviour of PAFAS$_r$ processes

READ$_{r1}$: $\mu \in \{\alpha, \underline{\alpha}\}$ implies $\mu \triangleright Q \stackrel{\alpha}{\leadsto} \mu \triangleright Q$

READ$_{r2}$: $Q \stackrel{\alpha}{\leadsto} Q'$ implies $\mu \triangleright Q \stackrel{\alpha}{\leadsto} \mu \triangleright Q'$

SUM$_r$: $Q_1 \stackrel{\alpha}{\leadsto} Q_1'$ implies $Q_1 + Q_2 \stackrel{\alpha}{\leadsto} Q_1' + Q_2$

PAR$_{r1}$: $Q_1 \stackrel{\alpha}{\leadsto} Q_1'$ and $\alpha \notin A$ imply $Q_1 \parallel_A Q_2 \stackrel{\alpha}{\leadsto} Q_1' \parallel_A Q_2$

PAR$_{r2}$: $Q_1 \stackrel{\alpha}{\leadsto} Q_1'$, $Q_2 \stackrel{\alpha}{\leadsto} Q_2'$ and $\alpha \in A$ imply $Q_1 \parallel_A Q_2 \stackrel{\alpha}{\leadsto} Q_1' \parallel_A Q_2'$

REL$_r$: $Q \stackrel{\alpha}{\leadsto} Q'$ implies $Q[\Phi] \stackrel{\Phi(\alpha)}{\leadsto} Q'[\Phi]$

REC$_r$: $Q\{rec\,x.Q/x\} \stackrel{\alpha}{\leadsto} Q'$ implies $rec\,x.Q \stackrel{\alpha}{\leadsto} Q'$

Most of the rules in Table 2 say that the execution of reading actions does not change the state of a term $Q$. Rule READ$_{r2}$ is crucial to manage arbitrarily nested reading actions; contrast it with Read$_o$. Due to technical reasons, rule REC$_r$ allows unfolding of recursive terms; thus e.g. $rec\,x.a \triangleright b.x \stackrel{a}{\leadsto} a \triangleright b.(rec\,x.a \triangleright b.x)$. Notice that this leads to a timed bisimilar process, cf. Section 4.

To give SOS-rules for the time steps of process terms, we consider (partial) time-steps like $Q \stackrel{X}{\to}_r Q'$ where the set $X \subseteq \mathbb{A}$ (called a refusal set) consists of non-urgent actions. Hence $Q$ is justified in delaying, i.e. refusing, them; $Q$ can take part in a real time step only if it has to synchronise on its urgent actions, and these are delayed by the environment. If $X = \mathbb{A}$ then $Q$ is fully justified in performing this full unit-time step, i.e. $Q$ can perform it independently of the environment. If $Q \stackrel{\mathbb{A}}{\to}_r Q'$, we write $Q \stackrel{1}{\to} Q'$; we say that $Q$ performs a 1-step.

Definition 2.3 (refusal transitional semantics) The inference rules in Table 3 define $\stackrel{X}{\to}_r \subseteq \tilde{\mathbb{P}} \times \tilde{\mathbb{P}}$ where $X \subseteq \mathbb{A}$. A refusal trace of a term $Q \in \mathbb{P}$ records from a run of $Q$ which visible actions are performed ($Q \stackrel{a}{\to} Q'$, $a \in \mathbb{A}$) and which actions $Q$ refuses to perform when time elapses ($Q \stackrel{X}{\to}_r Q'$, $X \subseteq \mathbb{A}$); i.e. a refusal trace of $Q$ is the sequence of actions from $\mathbb{A}$ and refusal sets $\subseteq \mathbb{A}$ occurring in a finite transition sequence from $Q$ (abstracting from $\tau$-transitions).

Table 3: Refusal transitional semantics of PAFAS$_r$ processes

Nil$_t$: $nil \stackrel{X}{\to}_r nil$

Pref$_{t1}$: $\alpha.P \stackrel{X}{\to}_r \underline{\alpha}.P$

Pref$_{t2}$: $\alpha \notin X \cup \{\tau\}$ implies $\underline{\alpha}.P \stackrel{X}{\to}_r \underline{\alpha}.P$

READ$_{t1}$: $Q \stackrel{X}{\to}_r Q'$ implies $\alpha \triangleright Q \stackrel{X}{\to}_r \underline{\alpha} \triangleright Q'$

READ$_{t2}$: $Q \stackrel{X}{\to}_r Q'$ and $\alpha \notin X \cup \{\tau\}$ imply $\underline{\alpha} \triangleright Q \stackrel{X}{\to}_r \underline{\alpha} \triangleright Q'$

Sum$_t$: $Q_i \stackrel{X}{\to}_r Q_i'$ for $i = 1, 2$ imply $Q_1 + Q_2 \stackrel{X}{\to}_r Q_1' + Q_2'$

Rel$_t$: $Q \stackrel{\Phi^{-1}(X \cup \{\tau\}) \setminus \{\tau\}}{\to}_r Q'$ implies $Q[\Phi] \stackrel{X}{\to}_r Q'[\Phi]$

Rec$_t$: $Q\{rec\,x.Q/x\} \stackrel{X}{\to}_r Q'$ implies $rec\,x.Q \stackrel{X}{\to}_r Q'$

Par$_t$: $Q_i \stackrel{X_i}{\to}_r Q_i'$ for $i = 1, 2$ and $X \subseteq (A \cap (X_1 \cup X_2)) \cup ((X_1 \cap X_2) \setminus A)$ imply $Q_1 \parallel_A Q_2 \stackrel{X}{\to}_r Q_1' \parallel_A Q_2'$

Rule Pref$_{t1}$ says that $a.P$ can let time pass and refuse to perform any action, while rule Pref$_{t2}$ says that $\underline{a}.P$ can let time pass in an appropriate context, but cannot refuse the action $a$. Process $\underline{\tau}.P$ cannot let time pass at all since, in any context, $\underline{\tau}.P$ has to perform $\tau$ before time can pass further. Rule Par$_t$ defines which actions a parallel composition can refuse during a time-step. $Q_1 \parallel_A Q_2$ can refuse the action $a$ if either $a \notin A$ and $a$ can be refused by both $Q_1$ and $Q_2$, or $a \in A$ and at least one of $Q_1$ and $Q_2$ can delay it, forcing the other $Q_i$ to wait. Thus, an action is urgent (cannot be further delayed) only when all synchronising 'local' actions are urgent. The other rules are as expected.

Example 2.4 As an example for the definitions given so far, consider an array with two Boolean values $t$ and $f$ and define its behaviour as $B_{tf} = P_t \parallel_A Q_f$ where $P_t \Leftarrow r_{tt} \triangleright (r^1_t \triangleright w^1_f.P_f) + r_{tf} \triangleright (r^1_t \triangleright w^1_f.P_f)$, $Q_f \Leftarrow r_{tf} \triangleright (r^2_f \triangleright w^2_t.Q_t) + r_{ff} \triangleright (r^2_f \triangleright w^2_t.Q_t)$ and $A = \{r_{ij} \mid i, j \in \{t, f\}\}$. Actions $r_{ij}$, where $i, j \in \{t, f\}$, allow reading both entries at the same time, while $r^k_j$ and $w^k_j$ represent, resp., the reading and the writing of the value $j \in \{t, f\}$ for the entry $k \in \{1, 2\}$. By rules READ$_{r1}$ and READ$_{r2}$, $B_{tf} \stackrel{r_{tf}}{\leadsto} B_{tf}$ and $B_{tf} \stackrel{r^1_t}{\leadsto} B_{tf}$, describing non-blocking reading. $P_t$ offers a choice between $r_{tf}$ and $r_{tt}$, where synchronisation disallows the latter. Performing $w^1_f$ after a 1-step does not change the second component, so $r^2_f$ is still urgent; this shows that $w^1_f$ does not block $r^2_f$. With just one type of action transition, $P_t$ would lose the prefix $r_{tf} \triangleright$ when performing $r^1_t$. Only the execution of an ordinary action can change the state of the array, e.g. $B_{tf} \stackrel{w^1_f}{\mapsto} B_{ff} = P_f \parallel_A Q_f$ by rule Read$_o$.

In [11], it is shown that inclusion of refusal traces characterises an efficiency preorder which is intuitively justified by a testing scenario. In this sense, e.g. $P = a \triangleright b$ is faster than the functionally equivalent $Q = rec\,x.(a.x + b)$, since only the latter has the refusal traces $1a(1a)^*$: after $1a$, $Q$ returns to itself, since recursion unfolding creates fresh $a$ and $b$; intuitively, $b$ is disabled during the occurrence of $a$, so $a$ and also $b$ can be delayed again. In contrast, after a time step and any number of $a$'s, $P$ turns into $\underline{a} \triangleright \underline{b}$ and no further 1-step is possible. Since read actions do not block or delay other activities, they make processes faster and, hence, have an impact on the timed behaviour of systems. If $a$ models the reading of a value stored by $P$ or $Q$ and two parallel processes want to read it, this should take at most time 1 in a setting with non-blocking reads. And indeed, whereas $Q \parallel_{\{a\}} (a \parallel_\emptyset a)$ has the refusal trace $1a1a$, this behaviour is not possible for $P \parallel_{\{a\}} (a \parallel_\emptyset a)$. Thus, $P$ offers a faster service.
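As an added illustration (not code from the paper), the following Python model implements the ordinary, read and refusal transitions of Tables 1 to 3 for the operators used so far (relabelling omitted) and checks the refusal traces of $P = a \triangleright b$ and $Q = rec\,x.(a.x + b)$, alone and composed with the two readers $a \parallel_\emptyset a$; the tuple encoding of terms and all helper names are assumptions of the example, not the paper's notation.

```python
# Added example (not from the paper): an executable model of Tables 1-3 of PAFAS_r for nil,
# prefix, read prefix, sum, parallel composition and recursion (relabelling omitted).
# Actions are (name, urgent) pairs, terms are nested tuples.  A refusal step is computed as
# (Q', U) with U the actions Q cannot refuse, so Q has a 1-step exactly when U is empty.

def subst(q, x, r):
    """Q{r/x}: replace free occurrences of variable x in q by r."""
    tag = q[0]
    if tag == 'var':
        return r if q[1] == x else q
    if tag in ('pref', 'read'):
        return (tag, q[1], subst(q[2], x, r))
    if tag == 'sum':
        return (tag, subst(q[1], x, r), subst(q[2], x, r))
    if tag == 'par':
        return (tag, q[1], subst(q[2], x, r), subst(q[3], x, r))
    if tag == 'rec' and q[1] != x:
        return (tag, q[1], subst(q[2], x, r))
    return q                                    # nil, or rec x.Q shadowing x

def ordinary(q):
    """Table 1: ordinary transitions Q |-a-> Q' as a list of (action, Q')."""
    tag = q[0]
    if tag == 'pref':                           # Pref_o: urgency is not observable
        return [(q[1][0], q[2])]
    if tag == 'read':                           # Read_o: an ordinary step of Q drops the prefix
        return ordinary(q[2])
    if tag == 'sum':                            # Sum_o and its symmetric rule
        return ordinary(q[1]) + ordinary(q[2])
    if tag == 'par':
        A, q1, q2 = q[1:]
        o1, o2, r1, r2 = ordinary(q1), ordinary(q2), reading(q1), reading(q2)
        res = [(a, ('par', A, n1, q2)) for a, n1 in o1 if a not in A]      # Par_o1
        res += [(a, ('par', A, q1, n2)) for a, n2 in o2 if a not in A]
        # Par_o2: a synchronised ordinary step pairs with an ordinary OR a read step of the partner
        res += [(a, ('par', A, n1, n2)) for a, n1 in o1 for b, n2 in o2 + r2 if a == b and a in A]
        res += [(a, ('par', A, n1, n2)) for a, n2 in o2 for b, n1 in r1 if a == b and a in A]
        return res
    if tag == 'rec': return ordinary(subst(q[2], q[1], q))   # Rec_o: unfold rec x.Q
    return []                                   # nil

def reading(q):
    """Table 2: read transitions Q ~a~> Q' as a list of (action, Q')."""
    tag = q[0]
    if tag == 'read':                           # READ_r1: state unchanged (urgent stays urgent);
        return [(q[1][0], q)] + [(a, ('read', q[1], n)) for a, n in reading(q[2])]  # READ_r2
    if tag == 'sum':                            # SUM_r: reading does not resolve the choice
        return ([(a, ('sum', n, q[2])) for a, n in reading(q[1])] +
                [(a, ('sum', q[1], n)) for a, n in reading(q[2])])
    if tag == 'par':                            # PAR_r1 / PAR_r2
        A, q1, q2 = q[1:]
        r1, r2 = reading(q1), reading(q2)
        return ([(a, ('par', A, n1, q2)) for a, n1 in r1 if a not in A] +
                [(a, ('par', A, q1, n2)) for a, n2 in r2 if a not in A] +
                [(a, ('par', A, n1, n2)) for a, n1 in r1 for b, n2 in r2 if a == b and a in A])
    if tag == 'rec': return reading(subst(q[2], q[1], q))    # REC_r unfolds the recursion
    return []

def timestep(q):
    """Table 3: (Q', U) with Q -X->_r Q' exactly for X disjoint from U; None if no time can pass."""
    tag = q[0]
    if tag == 'nil':
        return q, frozenset()
    if tag == 'pref':
        name, urgent = q[1]
        if not urgent:                          # Pref_t1: becomes urgent, refuses everything
            return ('pref', (name, True), q[2]), frozenset()
        return None if name == 'tau' else (q, frozenset([name]))   # Pref_t2
    if tag == 'read':                           # READ_t1 / READ_t2
        name, urgent = q[1]
        step = timestep(q[2])
        if step is None or (urgent and name == 'tau'):
            return None
        return ('read', (name, True), step[0]), step[1] | (frozenset([name]) if urgent else frozenset())
    if tag == 'sum':                            # Sum_t: both summands take the step
        s1, s2 = timestep(q[1]), timestep(q[2])
        return None if s1 is None or s2 is None else (('sum', s1[0], s2[0]), s1[1] | s2[1])
    if tag == 'par':                            # Par_t: a synchronised action is urgent only if
        A = q[1]                                # it is urgent on both sides
        s1, s2 = timestep(q[2]), timestep(q[3])
        if s1 is None or s2 is None:
            return None
        return ('par', A, s1[0], s2[0]), (A & s1[1] & s2[1]) | ((s1[1] | s2[1]) - A)
    return timestep(subst(q[2], q[1], q))       # Rec_t

def has_refusal_trace(q, trace):
    """'1' in the trace is a full time step (X = all actions); other items are visible actions."""
    if not trace:
        return True
    if trace[0] == '1':
        step = timestep(q)
        return step is not None and not step[1] and has_refusal_trace(step[0], trace[1:])
    return any(has_refusal_trace(n, trace[1:]) for a, n in ordinary(q) + reading(q) if a == trace[0])

# Constructed terms from the text: P = a > b and Q = rec x.(a.x + b), each serving two readers
LAZY_A, LAZY_B = ('a', False), ('b', False)
P = ('read', LAZY_A, ('pref', LAZY_B, ('nil',)))
Q = ('rec', 'x', ('sum', ('pref', LAZY_A, ('var', 'x')), ('pref', LAZY_B, ('nil',))))
READERS = ('par', frozenset(), ('pref', LAZY_A, ('nil',)), ('pref', LAZY_A, ('nil',)))
P_SYS, Q_SYS = ('par', frozenset('a'), P, READERS), ('par', frozenset('a'), Q, READERS)
```

`has_refusal_trace(Q, ['1','a','1','a'])` holds while `has_refusal_trace(P, ['1','a','1'])` does not, and the same contrast appears for `Q_SYS` and `P_SYS` with the trace `1a1a`.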

Another application of refusal traces is the modelling of weak fairness of actions. Weak fairness requires that an action must be performed whenever it is continuously enabled in a run. Thus, a run from $P$ with infinitely many $a$'s is not fair; the read action does not block $b$ or change the state, so the same $b$ is always enabled but never performed. In contrast, if $Q$ performs $a$, a fresh $b$ is created; in conformance to [12], a run with infinitely many $a$'s is fair. In [10], generalising [7], fair traces for PAFAS$_r$ (and PAFAS$_s$) are first defined in an intuitive, but very complex fashion in the spirit of [12] and then characterised: they are the sequences of visible actions occurring in transition sequences with infinitely many 1-steps⁴. Due to lack of space, we cannot properly formulate this as a theorem, but take it as a (time-based) definition of fair traces instead; $\mathrm{FairL}(R)$ is the set of fair traces of $R$. With this, infinitely many $a$'s are a fair trace of $Q$ since it can repeat $1a$ indefinitely, but the fair traces of finite-state $P$ are those that end with $b$. This shows an added expressivity of read prefixes:

Theorem 2.5 If $R \in \mathbb{P}$ is a finite-state process without read-prefixes and with sort $\mathcal{L}(R) = \{a, b\}$, then $\mathrm{FairL}(R) \neq \{a^i b \mid i \geq 0\} = \mathrm{FairL}(a \triangleright b)$.

We can view fairness as imposing a kind of priority for $b$ in $P$ since, in contrast to $a$, it must be executed in a fair trace. This is of course very different from the usual treatment of priorities [6], since $a$ can be preferred to $b$ a number of times. The following example shows that read actions can model more than two levels of priority.

Example 2.6 In $P = a \triangleright ((rec\,x.b.x) \parallel_{\{b\}} b \triangleright c)$, there are three levels of priority: in a fair trace we can perform arbitrarily many $a$'s while both $b$ and $c$ remain enabled and have priority; so far, we can have at most one 1-step. If $b$ occurs, the action $a$ disappears but we can perform arbitrarily many $b$'s while $c$ remains enabled and has priority, with, still, at most one 1-step. Formally, with a 1-step $P$ evolves into $P' = \underline{a} \triangleright (\underline{b}.(rec\,x.b.x) \parallel_{\{b\}} \underline{b} \triangleright \underline{c})$. $P'$ can perform an $a$ to itself, a $c$ (and become $\underline{b}.(rec\,x.b.x) \parallel_{\{b\}} nil$), or repeated $b$'s to $(rec\,x.b.x) \parallel_{\{b\}} \underline{b} \triangleright \underline{c}$; no further 1-steps are possible due to the urgent $c$; so in a fair trace, finally $c$ is performed to $(rec\,x.b.x) \parallel_{\{b\}} nil$, where infinitely many 1-steps are possible.

3 A read operator with a simpler semantics

The special reading transitions of PAFAS$_r$ are needed to properly derive e.g. $P = a \triangleright b \triangleright Q \stackrel{b}{\leadsto} a \triangleright b \triangleright Q$. To get a simpler semantics, the idea is to collect all enabled reading actions of a 'sequential component' in a set and write e.g. $P$ as $\{a, b\} \triangleright Q$. Thus, we define a new kind of read operator $\{\mu_1, \dots, \mu_n\} \triangleright Q$ with a slightly different syntax. In this way we try to avoid terms with nested reading actions and, as a consequence, we can describe the behaviour of the new PAFAS$_s$ processes by means of a simpler timed operational semantics with just one type of action transitions. A price to pay is that not all PAFAS$_s$ processes have a reasonable semantics; but the subset with a reasonable semantics is practically expressive enough (e.g. for expressing MUTEX solutions adequately) due to the set of reading actions, cf. [9].

The sets $\tilde{\mathbb{S}}_1$ of initial (timed) process terms $P$ and $\tilde{\mathbb{S}}$ of (general) (timed) process terms $Q$ are generated by the following grammar:

$P ::= nil \mid x \mid \alpha.P \mid \{\alpha_1, \dots, \alpha_n\} \triangleright P \mid P + P \mid P \parallel_A P \mid P[\Phi] \mid rec\,x.P$

$Q ::= P \mid \underline{\alpha}.P \mid \{\mu_1, \dots, \mu_n\} \triangleright Q \mid Q + Q \mid Q \parallel_A Q \mid Q[\Phi] \mid rec\,x.Q$

where $nil$ is a constant, $x \in \mathcal{X}$, $\alpha \in \mathbb{A}_\tau$, $\{\alpha_1, \dots, \alpha_n\} \subseteq \mathbb{A}_\tau$ is finite, and $\{\mu_1, \dots, \mu_n\}$ is a finite subset of $\mathbb{A}_\tau \cup \underline{\mathbb{A}}_\tau$ that cannot contain two copies (one lazy and the other one urgent) of the same action $\alpha$, i.e. $|\{\alpha, \underline{\alpha}\} \cap \{\mu_1, \dots, \mu_n\}| \leq 1$ for any $\alpha \in \mathbb{A}_\tau$. Again, $\Phi$ is a general relabelling function and $A \subseteq \mathbb{A}$ is possibly infinite. Also in this section, recursion is guarded. The sets of closed timed process terms in $\tilde{\mathbb{S}}$ and $\tilde{\mathbb{S}}_1$, simply called processes and initial processes resp., are $\mathbb{S}$ and $\mathbb{S}_1$ resp.



⁴ Observe that [9] just contains the application presented in [10]; PAFAS$_r$ is not treated there at all.
Definition 3.1 (functional operational semantics) The SOS-rules defining the transition relations $\stackrel{\alpha}{\to} \subseteq (\tilde{\mathbb{S}} \times \tilde{\mathbb{S}})$ (the action transitions) are those in Table 1⁵ where we replace the rule Read$_o$ with:

READ$_{s1}$: $\mu_i \in \{\alpha, \underline{\alpha}\}$ for some $i \in [1, n]$ implies $\{\mu_1, \dots, \mu_n\} \triangleright Q \stackrel{\alpha}{\to} \{\mu_1, \dots, \mu_n\} \triangleright Q$

READ$_{s2}$: $Q \stackrel{\alpha}{\to} Q'$ implies $\{\mu_1, \dots, \mu_n\} \triangleright Q \stackrel{\alpha}{\to} Q'$



Definition 3.2 (refusal transitional semantics) The inference rules defining the transition relation $\stackrel{X}{\to}_r \subseteq \tilde{\mathbb{S}} \times \tilde{\mathbb{S}}$ where $X \subseteq \mathbb{A}$ are those in Table 3 where we replace the rules READ$_{t1}$ and READ$_{t2}$ with:

READ$_t$: $Q \stackrel{X}{\to}_r Q'$ and $\mathcal{U}(\{\mu_1, \dots, \mu_n\}) \cap (X \cup \{\tau\}) = \emptyset$ imply $\{\mu_1, \dots, \mu_n\} \triangleright Q \stackrel{X}{\to}_r \{\underline{\mu_1}, \dots, \underline{\mu_n}\} \triangleright Q'$

where $\mathcal{U}(\{\mu_1, \dots, \mu_n\}) = \{\alpha \mid \mu_i = \underline{\alpha} \text{ for some } i \in [1, n]\}$ and $\{\underline{\mu_1}, \dots, \underline{\mu_n}\}$ is the set obtained from $\{\mu_1, \dots, \mu_n\}$ by replacing each $\alpha$ by $\underline{\alpha}$.

A term $Q \in \tilde{\mathbb{S}}$ is read-guarded if every subterm of $Q$ of the form $\{\mu_1, \dots, \mu_n\} \triangleright Q'$ is in the scope of some action prefix $\mu.Q''$. $Q \in \tilde{\mathbb{S}}$ is read-proper if each subterm $Q_1 + Q_2$ is read-guarded and, for each subterm $\{\mu_1, \dots, \mu_n\} \triangleright Q_1$, $Q_1$ is read-guarded. We say that $Q$ is $x$-proper if any free $x$ is guarded in any subterm $Q_1 + Q_2$, $\{\mu_1, \dots, \mu_n\} \triangleright Q_1$ and $rec\,y.Q_1$. $Q$ is rec-proper if for any subterm $rec\,x.Q_1$, $Q_1$ is either read-guarded or $x$-proper. A term $Q$ is proper if it is read- and rec-proper. Below, we will prove that proper terms have a reasonable semantics by relating them to PAFAS$_r$ processes with the same behaviour. An important feature of properness is that processes without read-prefixes are proper.

According to the definitions given so far, neither $P = \{a\} \triangleright \{b\} \triangleright Q$ nor $P' = \{a\} \triangleright Q' + \{b\} \triangleright Q$ is read-proper because of $\{b\} \triangleright Q$. An essential idea of reading is that it does not change the state of a process and therefore does not block other actions. With this, we should have $P \stackrel{b}{\to} P$, but really we have $P \stackrel{b}{\to} \{b\} \triangleright Q$. Similarly, we have $P' \stackrel{b}{\to} \{b\} \triangleright Q$ instead of $P' \stackrel{b}{\to} P'$. Hence, we exclude such processes. There is also a problem with the term $P = rec\,x.\{a\} \triangleright b.(c + x)$. Indeed, $P$ can perform a $b$ and evolve to $c + rec\,x.\{a\} \triangleright b.(c + x)$, which is not read-proper. Since the body of this recursion is not read-guarded, $x$ has to be treated as a read-prefix term, i.e. the body has to be $x$-proper. A subtle detail is the consideration of recursive subterms in the definition of $x$-proper. Without this detail, $Q = rec\,x.\{a\} \triangleright b.rec\,y.(c.(c + y) \parallel_\emptyset x)$ would be proper. But $Q \stackrel{b}{\to} rec\,y.(c.(c + y) \parallel_\emptyset Q) \stackrel{c}{\to} (c + rec\,y.(c.(c + y) \parallel_\emptyset Q)) \parallel_\emptyset Q$. Notice that $rec\,y.(c.(c + y) \parallel_\emptyset Q)$, and hence $c + rec\,y.(c.(c + y) \parallel_\emptyset Q)$, is not read-proper.

In contrast to the restriction to proper terms, we can freely use read-prefixes in PAFAS$_r$; see e.g. the process in Example 2.4, which would have the wrong semantics in PAFAS$_s$, i.e. if we change $r_{ij} \triangleright$ and $r^k_j \triangleright$ (for $i, j \in \{t, f\}$ and $k \in \{1, 2\}$) into $\{r_{ij}\} \triangleright$ and $\{r^k_j\} \triangleright$. The restriction only makes sense because of Prop. 3.3, which requires a careful, detailed proof.

Proposition 3.3 Let $Q \in \mathbb{S}$ be proper. $Q \stackrel{\alpha}{\to} Q'$ or $Q \stackrel{X}{\to}_r Q'$ implies $Q'$ proper.

Actually, the result in [10] is not correct since we used an insufficient restriction there. But, luckily, the PAFAS$_s$ process we used to model Dekker's MUTEX algorithm is proper. This can easily be seen since proper processes are closed w.r.t. parallel composition and relabelling.



⁵ To be formally precise: we have to replace all arrows $\mapsto$ in Table 1 by $\to$.



F. Corradini, M.R. Di Berardini & W. Vogler 






4 Expressivity of PAFAS$_s$

In this section we compare the expressivity of PAFAS$_s$ with that of PAFAS$_r$ and Petri nets. A first result shows that for each proper $Q \in \mathbb{S}$ there is a term in $\mathbb{P}$ whose behaviour is (timed) bisimilar and even isomorphic to that of $Q$.

Definition 4.1 (timed bisimulation) A binary relation $\mathcal{S} \subseteq \mathbb{P} \times \mathbb{P}$ over processes is a timed bisimulation if $(Q, R) \in \mathcal{S}$ implies, for all $\alpha \in \mathbb{A}_\tau$ and all $X \subseteq \mathbb{A}$:

- whenever $Q \stackrel{\alpha}{\mapsto} Q'$ ($Q \stackrel{\alpha}{\leadsto} Q'$, $Q \stackrel{X}{\to}_r Q'$) then, for some $R'$, $R \stackrel{\alpha}{\mapsto} R'$ ($R \stackrel{\alpha}{\leadsto} R'$, $R \stackrel{X}{\to}_r R'$, resp.) and $(Q', R') \in \mathcal{S}$;

- whenever $R \stackrel{\alpha}{\mapsto} R'$ ($R \stackrel{\alpha}{\leadsto} R'$, $R \stackrel{X}{\to}_r R'$) then, for some $Q'$, $Q \stackrel{\alpha}{\mapsto} Q'$ ($Q \stackrel{\alpha}{\leadsto} Q'$, $Q \stackrel{X}{\to}_r Q'$, resp.) and $(Q', R') \in \mathcal{S}$.

Two processes $Q, R \in \mathbb{P}$ are timed bisimilar (bisimilar for short, written $Q \sim R$) if $(Q, R) \in \mathcal{S}$ for some timed bisimulation $\mathcal{S}$. This definition is extended to open terms as usual; two open terms are bisimilar if they are so for all closed substitutions. It can be proved in a standard fashion that timed bisimilarity is a congruence w.r.t. all PAFAS$_r$ operators. The same definition, but omitting the reading transitions, applies to PAFAS$_s$.

We start by providing a translation function that maps terms in $\tilde{\mathbb{S}}$ into corresponding terms in $\tilde{\mathbb{P}}$; to regard $[\![\_]\!]_r$ as a function in the read-case, we have to assume that actions are totally ordered, and that the actions of a read-set are listed according to this order.

Definition 4.2 (a translation function) For $Q \in \tilde{\mathbb{S}}$ proper, $[\![Q]\!]_r$ is defined by induction on $Q$ (subterms of $Q$ are also proper) as follows:

Nil, Var, Pref: $[\![nil]\!]_r = nil$, $[\![x]\!]_r = x$, $[\![\mu.P]\!]_r = \mu.[\![P]\!]_r$

Read: $[\![\{\mu_1, \dots, \mu_n\} \triangleright Q]\!]_r = \mu_1 \triangleright \dots \triangleright \mu_n \triangleright [\![Q]\!]_r$

Sum: $[\![Q_1 + Q_2]\!]_r = [\![Q_1]\!]_r + [\![Q_2]\!]_r$

Par: $[\![Q_1 \parallel_A Q_2]\!]_r = [\![Q_1]\!]_r \parallel_A [\![Q_2]\!]_r$

Rel: $[\![Q[\Phi]]\!]_r = [\![Q]\!]_r[\Phi]$

Rec: $[\![rec\,x.Q]\!]_r = rec\,x.[\![Q]\!]_r$

This translation is pretty obvious, but its correctness is not; observe that Theorem 4.3 does not hold for all PAFAS$_s$ processes, cf. the processes $P = \{a\} \triangleright \{b\} \triangleright Q$ and $P' = \{a\} \triangleright Q' + \{b\} \triangleright Q$ at the end of Section 3. Function $[\![\_]\!]_r$ is injective on proper terms; except for the read-case, this is easy since $[\![\_]\!]_r$ preserves all other operators. In the read-case, $Q$ is read-guarded, i.e. the top-operator of $Q$ and $[\![Q]\!]_r$ is not $\triangleright$; the read-set can be read off from $[\![\{\mu_1, \dots, \mu_n\} \triangleright Q]\!]_r$ as the maximal sequence of $\triangleright$-prefixes the term starts with. With this observation, the following result, together with Prop. 3.3, shows that $[\![\_]\!]_r$ is an isomorphism between labelled transition systems, if we restrict them, on the one hand, to proper terms and their transitions and, on the other, to the images of proper terms and the transitions of these images.

Theorem 4.3 For all proper $Q \in \mathbb{S}$:

1. $Q \stackrel{\alpha}{\to} Q'$ ($Q \stackrel{X}{\to}_r Q'$) implies $[\![Q]\!]_r \stackrel{\alpha}{\to} [\![Q']\!]_r$ ($[\![Q]\!]_r \stackrel{X}{\to}_r [\![Q']\!]_r$, resp.);

2. if $[\![Q]\!]_r \stackrel{\alpha}{\to} Q''$ ($[\![Q]\!]_r \stackrel{X}{\to}_r Q''$) then $Q \stackrel{\alpha}{\to} Q'$ ($Q \stackrel{X}{\to}_r Q'$) with $[\![Q']\!]_r = Q''$.
The above theorem shows that the expressivity of proper PAFAS$_s$ processes is at most that of PAFAS$_r$. On the other hand, it is enough to model safe Petri nets with read-arcs. To illustrate the proof idea, which is based on a well-known view of a net as a parallel composition, consider an empty place of a net with preset $\{t_1, t_2\}$ and postset $\{t_3, t_4\}$, and being read by $t_5$ and $t_6$. This is translated into process $P_0$ with $P_0 \Leftarrow t_1.P_1 + t_2.P_1$ and $P_1 \Leftarrow \{t_5, t_6\} \triangleright (t_3.P_0 + t_4.P_0)$; $P_1$ models the marked place. All the analogous translations of places are composed in parallel, synchronising each time over all common actions (e.g. net transitions). Finally, a relabelling corresponding to the labelling of the net is applied.

Theorem 4.4 For each safe Petri net with read-arcs as in [22] there is a bisimilar proper PAFAS$_s$ process.
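To make the properness conditions of Section 3 and the translation of Definition 4.2 concrete, here is an added Python example (not code from the paper) that checks read-, $x$- and rec-properness, applies $[\![\_]\!]_r$, and runs both on the counterexamples at the end of Section 3 and on the place encoding above; the tuple encoding, the helper names and the choice of lexicographic order on action names as the assumed total order are assumptions of the example.

```python
# Added example (not from the paper): the properness conditions of Section 3 (read-guarded,
# read-proper, x-proper, rec-proper) and the translation [[_]]_r of Definition 4.2, run on the
# counterexamples of Section 3 and the place encoding of Section 4.  Terms are nested tuples; a
# read set is a frozenset of (name, urgent) pairs; the assumed total order on actions is the
# lexicographic order on their names.

def children(q):
    """Immediate subterms of q (action labels, sync sets and variable names are skipped)."""
    tag = q[0]
    if tag in ('pref', 'readset', 'rec'):
        return [q[2]]
    if tag == 'sum':
        return [q[1], q[2]]
    return [q[2], q[3]] if tag == 'par' else []      # nil, var

def subterms(q):
    yield q
    for c in children(q):
        yield from subterms(c)

def read_guarded(q, under_prefix=False):
    """Every read-set subterm lies in the scope of some action prefix mu.Q."""
    if q[0] == 'readset' and not under_prefix:
        return False
    return all(read_guarded(c, under_prefix or q[0] == 'pref') for c in children(q))

def guarded(x, q, under_prefix=False):
    """Variable x is guarded in q: its free occurrences all lie under an action prefix."""
    if q[0] == 'var':
        return q[1] != x or under_prefix
    if q[0] == 'rec' and q[1] == x:
        return True                                  # x is bound below this point
    return all(guarded(x, c, under_prefix or q[0] == 'pref') for c in children(q))

def read_proper(q):
    """Each sum is read-guarded and the body of each read set is read-guarded."""
    return all((s[0] != 'sum' or read_guarded(s)) and (s[0] != 'readset' or read_guarded(s[2]))
               for s in subterms(q))

def x_proper(q, x, rec_clause=True):
    """x is guarded in every sum and read-set subterm and, if rec_clause, every rec y.Q1 subterm."""
    kinds = ('sum', 'readset', 'rec') if rec_clause else ('sum', 'readset')
    return all(guarded(x, s) for s in subterms(q) if s[0] in kinds)

def rec_proper(q, rec_clause=True):
    return all(read_guarded(s[2]) or x_proper(s[2], s[1], rec_clause)
               for s in subterms(q) if s[0] == 'rec')

def proper(q, rec_clause=True):
    return read_proper(q) and rec_proper(q, rec_clause)

def to_pafas_r(q):
    """[[_]]_r: a read set {mu1,...,mun} becomes the chain mu1 > ... > mun > [[Q]]_r."""
    tag = q[0]
    if tag == 'readset':
        body = to_pafas_r(q[2])
        for mu in sorted(q[1], reverse=True):        # wrap the largest action innermost
            body = ('read', mu, body)
        return body
    if tag in ('pref', 'rec'):
        return (tag, q[1], to_pafas_r(q[2]))
    if tag == 'sum':
        return (tag, to_pafas_r(q[1]), to_pafas_r(q[2]))
    return (tag, q[1], to_pafas_r(q[2]), to_pafas_r(q[3])) if tag == 'par' else q

def show(q):
    """Readable rendering; an urgent action carries a trailing '!'."""
    act = lambda mu: mu[0] + ('!' if mu[1] else '')
    tag = q[0]
    if tag == 'nil': return 'nil'
    if tag == 'var': return q[1]
    if tag == 'pref': return act(q[1]) + '.' + show(q[2])
    if tag == 'read': return act(q[1]) + ' > ' + show(q[2])
    if tag == 'readset': return '{' + ','.join(map(act, sorted(q[1]))) + '} > ' + show(q[2])
    if tag == 'sum': return '(' + show(q[1]) + ' + ' + show(q[2]) + ')'
    if tag == 'par': return '(' + show(q[2]) + ' ||_{' + ','.join(sorted(q[1])) + '} ' + show(q[3]) + ')'
    return 'rec ' + q[1] + '.' + show(q[2])

def pref(name, q): return ('pref', (name, False), q)
def rs(names, q): return ('readset', frozenset((n, False) for n in names), q)
NIL, X = ('nil',), ('var', 'x')

# Constructed instances of the terms discussed in the text (Q and Q' taken as nil)
P_NESTED = rs(['a'], rs(['b'], NIL))                                # {a} > {b} > Q
P_SUMMED = ('sum', rs(['a'], NIL), rs(['b'], NIL))                  # {a} > Q' + {b} > Q
P_REC = ('rec', 'x', rs(['a'], pref('b', ('sum', pref('c', NIL), X))))   # rec x.{a} > b.(c + x)
Q_RECY = ('rec', 'x', rs(['a'], pref('b', ('rec', 'y', ('par', frozenset(),   # rec x.{a} > b.
         pref('c', ('sum', pref('c', NIL), ('var', 'y'))), X)))))         #   rec y.(c.(c+y) ||_{} x)
# The empty place of Section 4: P0 <= t1.P1 + t2.P1 and P1 <= {t5,t6} > (t3.P0 + t4.P0)
P1 = rs(['t5', 't6'], ('sum', pref('t3', ('var', 'p0')), pref('t4', ('var', 'p0'))))
P0 = ('rec', 'p0', ('sum', pref('t1', P1), pref('t2', P1)))
```

`proper(Q_RECY)` is false, while `proper(Q_RECY, rec_clause=False)` is true, which is exactly the "subtle detail" about recursive subterms discussed at the end of Section 3.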

5 The backward translation from PAFAS r to PAFAS^ 

In this section we study the problem whether PAFAS$_r$ is more expressive than PAFAS$_s$ or whether each PAFAS$_r$ term can be translated into a bisimilar proper PAFAS$_s$ term. We first exhibit a subset of $\mathcal{P}$ that is essentially the image of $\llbracket \cdot \rrbracket_r$ and so has an easy translation; we say these terms are in read normal form (RNF) (see Def. 5.1). We then discuss how PAFAS$_r$ terms can be brought into RNF and illustrate, by means of examples, the problems of such a normalisation.

Definition 5.1 (read normal form) For PAFAS$_r$ terms, we define read-guarded, $x$-proper and rec-proper as above, except that read-action prefixes take the place of read-set prefixes. We call such a term ra-proper if each subterm $Q_1 + Q_2$ is read-guarded, and for each subterm $\mu.Q'$ either $Q'$ is read-guarded or $Q' = \nu \rhd Q''$. A term is in RNF if it is rec- and ra-proper. The sets of terms and processes in RNF are denoted by $\tilde{\mathcal{P}}_{rn}$ and $\mathcal{P}_{rn}$, resp.

Below we provide the function that translates each $Q \in \mathcal{P}_{rn}$ into a proper term in $\tilde{\mathcal{S}}$. We will need an additional function to deal with read prefixes. A term such as $\mu_1 \rhd Q$ is in RNF if either $Q$ is read-guarded or, by iterated application of Def. 5.1, $Q$ has the form $\mu_2 \rhd \cdots \rhd \mu_n \rhd Q_n$ where $Q_n \in \mathcal{P}_{rn}$ is read-guarded. In the latter case, the actions $\mu_1, \dots, \mu_n$ must be collected in a read set. Since read sets cannot contain multiple copies (lazy and urgent) of the same action $a$, we use the following notation: if $\mu_1, \dots, \mu_n$ are generic actions in $\mathbb{A}_\tau \cup \underline{\mathbb{A}_\tau}$, then $\{\!|\mu_1, \dots, \mu_n|\!\}$ denotes the set of actions $\{\nu_1, \dots, \nu_m\}$ such that: (1) $\exists i \in [1,m]$ with $\nu_i = a$ iff $\exists j \in [1,n]$ with $\mu_j = a$; (2) $\exists i \in [1,m]$ with $\nu_i = \underline{a}$ iff $\exists j \in [1,n]$ such that $\mu_j = \underline{a}$ and, for each $k \in [1,n]$, $\mu_k \neq a$. In other words, a lazy $a$ in the chain always wins over an urgent $\underline{a}$.

Definition 5.2 (a translation function from $\mathcal{P}_{rn}$ to $\tilde{\mathcal{S}}$) For $Q \in \mathcal{P}_{rn}$, we define the process term $\llbracket Q \rrbracket_s \in \tilde{\mathcal{S}}$ by induction on $Q$ as in Definition 4.2 except for:

Read: $\llbracket \mu_1 \rhd Q \rrbracket_s = \{\!|\mu_1, \dots, \mu_n|\!\} \rhd \llbracket Q_n \rrbracket_s$

if $Q = \mu_2 \rhd \cdots \rhd \mu_n \rhd Q_n$ ($n \geq 1$) and $Q_n$ is read-guarded
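To make the two translations concrete, the following small Python model is added here; it is not code from the paper or its authors. It represents PAFAS$_r$/PAFAS$_s$ terms as dataclasses (the constructor names, the `|>` rendering and the `_a` marker standing for the paper's underlined urgent $a$ are this example's own conventions), implements the place translation sketched before Theorem 4.4 with recursion expressed through named definitions rather than the $\mathrm{rec}$ operator, and implements the collection $\{\!|\mu_1, \dots, \mu_n|\!\}$ together with the Read case of Definition 5.2, rejecting a choice over a read prefix such as $(a \rhd b) + c$, which is not in RNF. Parallel composition and relabelling are left out to keep the model short.

```python
# Added example (not code from the paper): a small Python model of PAFAS_r and
# PAFAS_s terms, the place translation sketched before Theorem 4.4, and the
# read-chain collection {|mu_1,...,mu_n|} used in the Read case of Def. 5.2.
# Constructor names, the "|>" rendering and the "_a" marker for the paper's
# underlined (urgent) a are this example's own conventions, not the paper's.
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Union

Action = tuple  # (name, urgent): ("a", False) is lazy a, ("a", True) is urgent a

@dataclass(frozen=True)
class Nil: pass
@dataclass(frozen=True)
class Var: name: str                        # process identifier P0, P1, ...
@dataclass(frozen=True)
class Prefix: act: Action; cont: "Term"     # mu.Q
@dataclass(frozen=True)
class Choice: left: "Term"; right: "Term"   # Q1 + Q2
@dataclass(frozen=True)
class ReadAct: act: Action; cont: "Term"    # PAFAS_r read-action prefix mu |> Q
@dataclass(frozen=True)
class ReadSet: acts: FrozenSet[Action]; cont: "Term"  # PAFAS_s {mu_1,..,mu_n} |> Q
Term = Union[Nil, Var, Prefix, Choice, ReadAct, ReadSet]

def lazy(name: str) -> Action: return (name, False)
def urgent(name: str) -> Action: return (name, True)

def collect_read_set(actions: Iterable[Action]) -> FrozenSet[Action]:
    """{|mu_1,...,mu_n|}: lazy a is kept whenever some mu_j = a; urgent a is kept
    only if some mu_j is urgent a and no mu_k is lazy a (clauses (1) and (2))."""
    acts = list(actions)
    lazy_names = {n for n, urg in acts if not urg}
    urgent_names = {n for n, urg in acts if urg} - lazy_names
    return frozenset({(n, False) for n in lazy_names} | {(n, True) for n in urgent_names})

def read_guarded(t: Term) -> bool:
    """The paper's read-guardedness: the top operator is not a read prefix."""
    return not isinstance(t, (ReadAct, ReadSet))

def in_rnf(t: Term) -> bool:
    """ra-properness (Def. 5.1) for the operators modelled here: both alternatives
    of every choice are read-guarded.  Read-set prefixes are PAFAS_s, hence False."""
    if isinstance(t, (Nil, Var)):
        return True
    if isinstance(t, Choice):
        return (read_guarded(t.left) and read_guarded(t.right)
                and in_rnf(t.left) and in_rnf(t.right))
    return isinstance(t, (Prefix, ReadAct)) and in_rnf(t.cont)

def to_read_set_form(t: Term) -> Term:
    """Def. 5.2: translate a term in RNF to PAFAS_s.  The Read case collapses a
    chain mu_1 |> ... |> mu_n |> Q_n (Q_n read-guarded) into a single read set."""
    if not in_rnf(t):
        raise ValueError("not in read normal form: " + show(t))
    if isinstance(t, (Nil, Var)):
        return t
    if isinstance(t, Prefix):
        return Prefix(t.act, to_read_set_form(t.cont))
    if isinstance(t, Choice):
        return Choice(to_read_set_form(t.left), to_read_set_form(t.right))
    chain: List[Action] = []
    while isinstance(t, ReadAct):
        chain.append(t.act)
        t = t.cont
    return ReadSet(collect_read_set(chain), to_read_set_form(t))

def sum_of(terms: List[Term]) -> Term:  # fold alternatives into a choice; empty sum is nil
    acc: Term = terms[0] if terms else Nil()
    for t in terms[1:]:
        acc = Choice(acc, t)
    return acc

def place_process(empty: str, marked: str, preset, postset, readers) -> dict:
    """Proof idea of Thm. 4.4 for one safe place: `empty` waits for a preset
    transition; `marked` can be read by the read-arc transitions without losing
    the token and is emptied by a postset transition.  Recursion is expressed by
    the returned named definitions (P0 <= ..., P1 <= ...) instead of rec."""
    p0 = sum_of([Prefix(lazy(t), Var(marked)) for t in preset])
    consume = sum_of([Prefix(lazy(t), Var(empty)) for t in postset])
    p1 = ReadSet(frozenset(lazy(t) for t in readers), consume) if readers else consume
    return {empty: p0, marked: p1}

def show_act(a: Action) -> str:
    return ("_" if a[1] else "") + a[0]

def show(t: Term) -> str:
    """Render a term roughly as the paper writes it."""
    def par(q: Term) -> str:  # parenthesise a choice used as continuation
        return "(" + show(q) + ")" if isinstance(q, Choice) else show(q)
    if isinstance(t, Nil):
        return "nil"
    if isinstance(t, Var):
        return t.name
    if isinstance(t, Prefix):
        return show_act(t.act) + "." + par(t.cont)
    if isinstance(t, Choice):
        return show(t.left) + " + " + show(t.right)
    if isinstance(t, ReadAct):
        return show_act(t.act) + " |> " + par(t.cont)
    return "{" + ",".join(sorted(show_act(a) for a in t.acts)) + "} |> " + par(t.cont)

if __name__ == "__main__":
    for name, body in place_process("P0", "P1", ["t1", "t2"], ["t3", "t4"], ["t5", "t6"]).items():
        print(name, "<=", show(body))
    chain = ReadAct(lazy("a"), ReadAct(urgent("b"), ReadAct(urgent("a"), Prefix(lazy("c"), Nil()))))
    print(show(chain), "-->", show(to_read_set_form(chain)))
```

Running the script prints the two definitions of the example place, `P0 <= t1.P1 + t2.P1` and `P1 <= {t5,t6} |> (t3.P0 + t4.P0)`, and shows the chain $a \rhd \underline{b} \rhd \underline{a} \rhd c$ collapsing to the read set $\{\underline{b}, a\}$: the urgent $\underline{a}$ disappears because a lazy $a$ occurs in the same chain, exactly as clause (2) prescribes.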

With the laws L1 and L2 below, we can rearrange successive read-action prefixes in a process in RNF such that the result is in the image of $\llbracket \cdot \rrbracket_r$, which essentially proves the second item of the following result.

Theorem 5.3 For all $Q \in \mathcal{P}_{rn}$:

1. $Q \xrightarrow{\alpha} Q'$ or $Q \xrightarrow{X}_r Q'$ implies $Q' \in \mathcal{P}_{rn}$;

2. $Q$ and $\llbracket Q \rrbracket_s$ are timed bisimilar (in the sense of PAFAS$_s$).



F. Corradini, M.R. Di Berardini & W. Vogler

Translating terms into read normal form 

For translating a term that is not in read normal form, one idea is to use laws to rewrite the term into a bisimilar one in RNF. E.g. although $(a \rhd b) + c$ does not belong to $\mathcal{P}_{rn}$, it has the same timed behaviour as $a \rhd (b + c) \in \mathcal{P}_{rn}$, cf. L3.

Besides commutativity and associativity of $+$ and $\parallel$, we have shown the laws in Fig. 1. Here, $\Phi\{a' \to a\}$ denotes the relabelling function that renames $a'$ to $a$ and all other actions as $\Phi$ does. For the discussion, we also write $[a' \to a]$ as a shorthand for $\Phi_I\{a' \to a\}$, where $\Phi_I$ is the identity relabelling function. The idea of the translation into RNF is to perform rewriting by induction on the term size; since action prefix, parallel composition and relabelling preserve RNF, these operators are no problem. Read prefixes $\mu \rhd Q$ can be dealt with by distributing $\mu$ among $Q$'s components. But choice and recursion still pose unsolved problems.

L1  $\mu \rhd (\nu \rhd Q) \sim \nu \rhd (\mu \rhd Q)$

L2  $\underline{a} \rhd (\mu \rhd Q) \sim \mu \rhd Q$,  $a \rhd (\mu \rhd Q) \sim a \rhd Q$  provided that $\mu \in \{a, \underline{a}\}$

L3  $(\mu \rhd Q) + R \sim \mu \rhd (Q + R)$

L4  $a \rhd (Q_1 \parallel_A Q_2) \sim (a \rhd Q_1) \parallel_{A \cup \{a\}} (a \rhd Q_2)$,  $\underline{a} \rhd (Q_1 \parallel_A Q_2) \sim (\underline{a} \rhd Q_1) \parallel_{A \cup \{a\}} (\underline{a} \rhd Q_2)$  provided that $a \notin \mathcal{A}(Q_1 \parallel_A Q_2)$

L5  $(a \rhd Q)[\Phi] \sim \Phi(a) \rhd (Q[\Phi])$,  $(\underline{a} \rhd Q)[\Phi] \sim \underline{\Phi(a)} \rhd (Q[\Phi])$

L6  $(Q[\Phi])[\Psi] \sim Q[\Psi \circ \Phi]$

L7  $\mathrm{rec}\,x.Q \sim Q\{\mathrm{rec}\,x.Q / x\}$

Figure 1: A set of laws

Regarding read prefixes, we have to show the stronger claim that for each $Q$ in RNF we can normalise $\mu \rhd Q$ in such a way that, for any variable $y$, $y$ guarded in $Q$ implies $y$ guarded in the RNF, and if additionally $Q$ is $y$-proper this is also preserved. The proof is by induction on $Q$; some cases are easy because $\mu \rhd Q$ is in RNF itself (by the definition of RNF or by induction). We consider one of the three remaining cases, namely the Par-case. The Rel-case is easier, while the Rec-case is much more complicated. Their proofs can be found in the appendix. For a fresh action $a'$ we have:

$a \rhd (Q_1 \parallel_A Q_2) \sim (a' \rhd (Q_1 \parallel_A Q_2))[a' \to a] \sim ((a' \rhd Q_1) \parallel_{A \cup \{a'\}} (a' \rhd Q_2))[a' \to a]$

by L5 and L4 (the side condition of L4 holds since $a'$ is fresh), and then we are done by induction. The case of an $\underline{a}$-read-prefix is similar.

The case of choice is particularly tricky whenever one of the two alternatives is a parallel composition. Hence, we now concentrate on the following problem: let $Q$ and $R = R_1 \parallel_A R_2$ be terms in RNF; is there an $S$ in RNF such that $S \sim Q + R$?

First, observe that we can rewrite $Q$ into $Q'$ by replacing all actions (also in relabellings) by fresh copies, such that $Q'$ and $R$ have disjoint sorts. Then, we can try to bring $Q' + R$ into RNF and finally apply a relabelling that 'undoes' the rewrite (cf. the last example above). This would give us a bisimilar term in RNF for $Q + R$. From now on we assume that $Q$ and $R$ have disjoint sorts.

If $Q$ is deterministic (i.e. it never performs $\tau$ and never performs an action in two different ways), we have the law $Q + (R_1 \parallel_A R_2) \sim (Q + R_1) \parallel_{A \cup \mathcal{A}(Q)} (Q + R_2)$. Thus, to find $S$ we now simply normalise the two components inductively. In general, this law fails: for $Q = a.b + a.c$, $Q + R$ evolves with $a$ into either $b$ or $c$. But $(Q + R_1) \parallel_{A \cup \{a,b,c\}} (Q + R_2)$ can perform $a$ and evolve into the deadlocked $b \parallel_{A \cup \{a,b,c\}} c$.

A new idea that will work in many cases is to replace the second copy of $Q$ by its 'top-part' that can perform the same time steps and the same initial actions as $Q$, but deadlocks after an ordinary action; additionally, not all of $\mathcal{A}(Q)$ but only the initial actions are added to the synchronisation set: in our example, $((a.b + a.c) + R_1) \parallel_{A \cup \{a\}} (a + R_2)$ is bisimilar to $Q + R$ and could, in principle, be normalised inductively. This idea must be adapted in the case of read prefixes. Consider $Q = a \rhd b.c$; here, the top-part is $a \rhd b$, i.e. $Q + R$ is bisimilar to $(a \rhd b.c + R_1) \parallel_{A \cup \{a,b\}} (a \rhd b + R_2)$ (in particular, both terms remain unchanged when performing $a$). Another problem is that initial actions may also be performed later, e.g. in $Q = a \rhd b.a$; again, rewriting plus later relabelling helps. In the example, $Q + R$ is bisimilar to $((e \rhd b.a + R_1) \parallel_{A \cup \{e,b\}} (e \rhd b + R_2))[e \to a]$, and the terms $e \rhd b.a + R_1$ and $e \rhd b + R_2$ are again smaller than $Q + R$.

But what is the top-part for $Q = a \parallel_\emptyset b$? Action $a$ can be performed initially, but also after $b$. If we could transform $Q$ into $a.b + b.a$, the top-part would be $a + b$, and using rewriting plus later relabelling would solve the problem. But unfortunately $Q \sim a.b + b.a$ is wrong: when performing $a$, these terms end up in $\mathrm{nil} \parallel_\emptyset b$ and $b$ resp., which are not timed bisimilar due to the partial time step $\{b\}$.

Finding the top-part of parallel compositions seems to be related to finding a suitable expansion law. But even for standard PAFAS, such a law is not known. Thus, our general proof idea does not work so far, due to problems with choice terms. Also the treatment of recursion is not clear yet; an expansion law would certainly help. At least, we have identified a fragment of PAFAS$_r$ which does not have additional expressivity.

Theorem 5.4 If all choice and recursive subterms of a PAFAS$_r$ process are in RNF then there is a bisimilar PAFAS$_s$ process.

6 Conclusions and Future Work 

We have studied two different ways to enhance PAFAS with non-blocking reading actions. We have first added reading in the form of a read-action prefix operator and proved that this adds expressivity w.r.t. fair behaviour. This operator is very flexible, but has a slightly complex semantics. To reduce complexity, we have introduced a read-set prefix operator with a simpler semantics, but with syntactic restrictions. For the second operator, it is not immediately clear whether its operational semantics models reading behaviour adequately. We could prove this by translating proper PAFAS$_s$ terms into PAFAS$_r$ terms with the same timed behaviour. We have also shown that PAFAS$_s$ is strong enough to model safe Petri nets with read-arcs.

It is still not clear whether PAFAS$_r$ is more expressive than the restricted PAFAS$_s$. We presented some ideas how a respective translation could work; these are based on some algebraic laws that are also interesting in their own right. In the future we will try to complete this translation. This is related to finding an expansion law for generic PAFAS$_r$ (and PAFAS) terms. Such an expansion law should also provide us with an axiomatisation for the full PAFAS language. Some results can be found in [21], where a fragment of the language that just consists of prefix and choice has been axiomatised.

We plan to use read prefixes for modelling systems and comparing their efficiency or proving them correct under the progress assumption. A first correctness proof (for Dekker's MUTEX algorithm) with the aid of the automated verification tool FASE has been presented in [9].